Another malicious Chrome extension recently came into the limelight for its unique abusive strategy. The extension primarily exploited the sync feature in Google Chrome to steal users’ data.
Chrome Sync Feature Exploited
Security researcher Bojan Zdrnja found the malicious browser extension targeting the Google Chrome browser. The extension basically exploited the Chrome Sync feature to steal the victim users’ information.
Briefly, the extension didn’t reach the target devices via the Chrome store. Rather the attackers dropped the extension directly to the systems in a folder and then loaded it from the browser. Since the browser already exhibits such a feature, “Load unpacked” (in developer mode), to upload extensions, it didn’t track the malicious browser as harmful.
The attackers created a fake extension that posed as Forcepoint Endpoint Chrome Extension for Windows to trick users.
Once installed, the extension would then abuse the sync feature to communicate with the C&C and steal data by logging token keys.
Since the extension is using chrome.storage.sync.get and chrome.storage.sync.save methods (instead of chrome.storage.local), all these values will be automatically synced to Google’s cloud by Chrome, under the context of the user logged in in Chrome. In order to set, read or delete these keys, all the attacker has to do is log in with the same account to Google, in another Chrome browser (and this can be a throwaway account), and they can communicate with the Chrome browser in the victim’s network by abusing Google’s infrastructure!
Regarding why the attackers limited their attack vectors to an extension only, the researcher stated,
They wanted to manipulate data in an internal web application that the victim had access to. While they also wanted to extend their access, they actually limited activities on this workstation to those related to web applications, which explains why they dropped only the malicious Chrome extension, and not any other binaries.
Technical details about how the extension executed the attack are available in the researcher’s blog post.
Stay Wary Of Malicious Extensions
According to the researcher, blocking access to clients4.google.com might help to combat such abuse. However, this could cause other disruptions as Chrome browser relies on this site for multiple purposes.
Therefore, the researcher advises blocking and controlling Chrome extension installation via the group policy support feature.